Netgate Discussion Forum

    /var/log/filter.log format? way to convert to NCSA (CLF) format?

      mastry0da

      What format is the /var/log/filter.log stored in? Is anyone aware of any command line tool that may be available to convert the filter.log to the NCSA (CLF) format?

      thanks in advance,
      -m

        mastry0da

        It appears pfSense 2 includes a filterparser, but it doesn't appear to output in NCSA format?

        /usr/sbin/clog -f /var/log/filter.log | /usr/local/bin/filterparser.php

        I also found this:
        http://splunk-base.splunk.com/answers/25292/parsing-pfsense-logs-part-2

        But again, no mention of NCSA format? Any help anyone could provide would
        be most appreciated!

          jimp Rebel Alliance Developer Netgate

          NCSA/CLF is a web server access log format, not a firewall log format.

          I suppose someone could, using filterparser.php as a guide, make it output in some other format, but that still wouldn't help change a firewall log to a web server log format; the two aren't compatible/equivalent in that way.

          What is it you're trying to use to parse the firewall log that wants it in that format?

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            mastry0da

            Logstalgia… Thought it would be cool to use "apache pong" for "pf pong"...

              jimp Rebel Alliance Developer Netgate

              That can't work for firewall logs. It's meant for web access logs, not firewall/filter logs.

                mastry0da

                Could you point me at a reference for reading the log format?

                If not, could you possibly break down this example packet for me?

                pf: 00:00:00.306610 rule 1/0(match): block in on msk1: (tos 0x20, ttl 40, id 33721, offset 0, flags [none], proto UDP (17), length 58)

                  jimp Rebel Alliance Developer Netgate

                  @mastry0da:

                  > Could you point me at a reference for reading the log format?
                  >
                  > If not, could you possibly break down this example packet for me?
                  >
                  > pf: 00:00:00.306610 rule 1/0(match): block in on msk1: (tos 0x20, ttl 40, id 33721, offset 0, flags [none], proto UDP (17), length 58)

                  They are standard pf logs, so OpenBSD may have some documentation.

                  Or: Use the source - https://github.com/pfsense/pfsense/blob/master/etc/inc/filter_log.inc#L136

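A field-by-field breakdown of the sample line quoted in the thread, as an added example that is not part of the original posts and is not pfSense's own parser (filter_log.inc / filterparser.php). It assumes the prefix layout that tcpdump prints for pflog records (rule number, reason code and name, action, direction, interface) followed by tcpdump's verbose IPv4 header fields; the function names are hypothetical.

```python
import re

# The exact line quoted in the thread, used here as sample input.
SAMPLE = ("pf: 00:00:00.306610 rule 1/0(match): block in on msk1: "
          "(tos 0x20, ttl 40, id 33721, offset 0, flags [none], "
          "proto UDP (17), length 58)")

# Assumed layout (tcpdump's pflog printer): "rule N/" or, for a rule inside
# an anchor, "rule N.ruleset.M/"; then "code(reason):", action, direction,
# "on <interface>:" and an optional parenthesised IPv4 header summary.
PREFIX = re.compile(
    r"\bpf:\s+(?P<time>\S+)\s+"
    r"rule\s+(?P<rule>\d+)(?:\.(?P<ruleset>.*?)\.(?P<subrule>\d+))?/"
    r"(?P<reason_code>\d+)\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>\S+)\s+(?P<direction>\S+)\s+on\s+(?P<interface>[^:\s]+):"
    r"\s*(?P<ip>\(.*\))?\s*$"
)
FIELD = re.compile(r"(\w+) (\[[^\]]*\]|[^,]+)")   # "key value" pairs
PROTO = re.compile(r"(\S+) \((\d+)\)")            # e.g. "UDP (17)"

def parse_ip_header(text):
    """Turn '(tos 0x20, ttl 40, ...)' into a dict of typed fields."""
    fields = {}
    for key, value in FIELD.findall(text[1:-1]):
        if key == "flags":                       # "[none]" or "[DF]"
            names = [f.strip() for f in value[1:-1].split(",")]
            fields[key] = [f for f in names if f and f != "none"]
        elif key == "proto" and PROTO.fullmatch(value):
            name, number = PROTO.fullmatch(value).groups()
            fields["proto"], fields["proto_num"] = name, int(number)
        else:
            try:
                fields[key] = int(value, 0)      # base 0 accepts 0x20 and 40
            except ValueError:
                fields[key] = value              # keep unknown values as text
    return fields

def parse_filter_line(line):
    """Return a dict for one pf log header line, or None for any other shape."""
    m = PREFIX.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["reason_code"] = int(rec["reason_code"])
    rec["ip"] = parse_ip_header(rec["ip"]) if rec["ip"] else {}
    return rec
```

The sample line as quoted carries no addresses or ports, so the result holds only the rule match and the IP header fields; a web-style (CLF) record cannot be built from it.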
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.